Summary: Disable passing query strings through Special:Random
           Product: MediaWiki
           Version: 1.17
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: Special pages

1.17 has a new feature that allows tacking a query string onto the usual
Special:Random syntax, resulting in loading a URL that combines the
randomly-selected page name and the query string. This feature is not at all
well thought-out; it can be used to construct an auto-vandalism URL to post
anywhere you like on the Web, resulting in distributed mass-vandalism. Likewise
a smart vandal can copy-and-paste a handcrafted URL many times to vandalize
many pages quickly. There are other bad things you can automate with this as
well. I'm not going to post an example URL here, but any developer should feel
free to mail me if you want one. Please disable this.
